ESET researchers discover a new Lazarus backdoor deployed against a freight logistics firm in South Africa
ESET researchers have discovered a previously undocumented Lazarus backdoor, which they have dubbed Vyveva, being used to attack a freight logistics company in South Africa. The backdoor consists of multiple components and communicates with its C&C server via the Tor network. So far, we have been able to find its installer, loader and main payload – a backdoor with a TorSocket DLL. The previously unknown attack was discovered in June 2020.
Although Vyveva has been used since at least December 2018, its initial compromise vector is still unknown. Our telemetry data suggests targeted deployment, as we found only two victim machines, both of which are servers owned by a freight logistics company located in South Africa. The backdoor features capabilities for file exfiltration, timestomping, gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators. This suggests that the intent of the operation is most likely espionage.
This blogpost provides the first public, technical analysis of Vyveva’s components.
Attribution to Lazarus
Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET products as the NukeSped malware family. However, the similarities do not end there: the use of fake TLS in network communication, command line execution chains, and the way encryption and Tor services are used all point towards Lazarus; hence we can attribute Vyveva to this APT group with high confidence.
An example of the numerous code similarities can be seen in Figure 1 – resolving uniquely named Tor library exports.
- 92F5469DBEFDCEE1343934BE149AFC1241CC8497 msobjs.drx Vyveva backdoor
- BF98EA1326E5F8C351E68C79B5D1E0164C7BE728 taskhosts.exe Win32/NukeSped.HV trojan
Technical analysis
Up until now, we have managed to find three of the multiple components comprising Vyveva – its installer, loader and backdoor. The installer is the earliest chronological stage found and, since it expects other components to be already present on the machine, it suggests the existence of an earlier, unknown stage – a dropper. The loader serves to decrypt the backdoor using a simple XOR decryption algorithm.
Figure 2 provides a closer look at the functionality of the installer, the backdoor, and the Tor library.
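The article only says that the loader decrypts the backdoor with a simple XOR algorithm. The following is an added example, not ESET's or the malware's code, showing how an analyst recovers such a key from a dumped blob with a known-plaintext attack: the DOS stub text present in almost every PE is used as a crib, the key period is read off the resulting keystream, and the candidate is validated against the PE signature. The repeating-key scheme, the key length, the key `SAMPLE_KEY` and the sample blob are all constructed assumptions; the real loader's key and scheme are not given on the page.

```python
"""Known-plaintext recovery of a repeating-key XOR key from an encrypted PE.

Added example, not ESET's or Vyveva's code. The article only says the loader
uses a simple XOR algorithm; the key length, the key itself and the sample
blob below are constructed assumptions used to demonstrate the technique.
"""
from itertools import cycle
from typing import Optional, Tuple

# The DOS stub text is present in almost every PE and makes a good crib.
DOS_STUB = b"This program cannot be run in DOS mode."
HEADER_WINDOW = 0x100  # search for the crib only inside the DOS header/stub area


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated cyclically."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Check the PE signature via e_lfanew. The MZ magic is deliberately not
    required, because dumped samples often carry a damaged DOS header."""
    if len(blob) < 0x40:
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(enc: bytes, max_key_len: int = 32) -> Optional[Tuple[bytes, int]]:
    """Slide the crib over the header window; at the right offset the
    keystream (ciphertext XOR crib) repeats with the key period.
    Returns (key, crib_offset) or None."""
    n = len(DOS_STUB)
    for off in range(0, min(HEADER_WINDOW, len(enc) - n)):
        ks = xor_bytes(enc[off:off + n], DOS_STUB)
        for klen in range(1, min(max_key_len, n) + 1):
            if not all(ks[i] == ks[i + klen] for i in range(n - klen)):
                continue
            key = bytearray(klen)
            for p in range(klen):            # realign the keystream to offset 0
                key[(off + p) % klen] = ks[p]
            if looks_like_pe(xor_bytes(enc[:HEADER_WINDOW], bytes(key))):
                return bytes(key), off
    return None


def decrypt_pe(enc: bytes) -> Optional[bytes]:
    """Decrypt with the recovered key and restore the MZ magic if it was
    wiped (the minimal 'fixed MZ header' applied before loading a sample)."""
    found = recover_key(enc)
    if found is None:
        return None
    key, _ = found
    dec = bytearray(xor_bytes(enc, key))
    if dec[:2] != b"MZ":
        dec[:2] = b"MZ"
    return bytes(dec)


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE: MZ magic, e_lfanew, DOS stub, PE signature."""
    hdr = bytearray(HEADER_WINDOW)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr) + bytes(range(64))      # a few 'section' bytes


SAMPLE_KEY = b"\x5a\x13\xc3"                   # constructed; not the real key
SAMPLE_PLAIN = build_sample_pe()
SAMPLE_ENC = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key, off = recover_key(SAMPLE_ENC)
    print(f"key={key.hex()} crib_offset={off:#x}")
    print("roundtrip ok:", decrypt_pe(SAMPLE_ENC) == SAMPLE_PLAIN)
```

The validation step matters: a periodic keystream alone is not proof, so the candidate key is accepted only if the decrypted header carries a `PE\0\0` signature at `e_lfanew`. Because the check does not depend on the MZ magic, it still works on dumps whose first bytes were wiped, and `decrypt_pe` then repairs them, which is the same "fixed MZ header" state the decrypted samples in the IoC table are in.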
Installer
The main purposes of the installer are twofold: it creates a service that ensures persistence of the backdoor loader, and it stores the embedded, default backdoor configuration in the registry.
To create a legitimate-looking service, its attributes, such as service name and display name, are formed using a combination of words taken from the attributes of existing services, which are randomly selected. It is also possible to specify these attributes to the installer via the command line parameters -dll, -svc, -disp, -desc, and -group. We observed the following in the wild, with these parameters:
<SYSDIR>\powerctl.exe -svc powerctl -dll powerctl.dll
As for the latter task, the installer first sets the configuration's infection ID, which uniquely identifies each victim, to a randomly generated value, and then stores it in the registry, as shown in Figure 3.
[HKLM\SOFTWARE\Microsoft\DirectX]
UsageMask = <CONFIG_DATA>
Figure 3. Configuration registry value
One of the entries in the configuration is a list of encrypted C&C servers: for example, the installer sample we analyzed is configured with the following C&Cs:
- 4bjt2rceijktwedi[.]onion:80
- cwwpxpxuswo7b6tr[.]onion:80
Backdoor functionality
The backdoor, Vyveva’s main component, connects to C&C servers and executes commands issued by the threat actors. It features 23 commands, some of which are asynchronous and executed in their own threads. Most of them are ordinary commands for file and process operations or information gathering, but there is also a less common command for file timestomping. It can copy creation/write/access time metadata from a “donor” file to a destination file, or use a random date in the years 2000–2004.
Other noteworthy commands are Vyveva’s file upload command and command 0x26. The file upload command is capable of exfiltrating directories recursively and supports file extension filtering – for example, Office documents only. As for command 0x26, it indicates the existence of another, unknown component that we had not yet observed at the time of writing.
The full list of commands is shown in Table 1.
Table 1. Vyveva backdoor commands
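The timestomping behaviour described above leaves a detectable trace: the Windows API used for it rewrites only the `$STANDARD_INFORMATION` timestamps, while `$FILE_NAME` keeps the kernel-set creation time, and the random 2000–2004 dates are far older than the file's real creation. The following is an added example, not ESET's code, of a triage pass over records already extracted from the MFT; the record field names (`si_*` for `$STANDARD_INFORMATION`, `fn_*` for `$FILE_NAME`) and the three sample records are constructed for this example.

```python
"""Triage of NTFS timestamps for the timestomping behaviour described above.

Added example, not ESET's code. It assumes records already extracted from
$MFT by a parser, with $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN)
timestamps as ISO-8601 UTC strings; the field names and the sample records
are constructed for this example.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# The article describes a random creation/last-write time in 2000-2004 when
# no donor file exists; a $SI stamp inside that window on a file whose $FN
# says it was created much later is a strong hint.
RANDOM_WINDOW = (datetime(2000, 1, 1), datetime(2005, 1, 1))
SKEW = timedelta(days=1)   # tolerance for clock drift and slow copies


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def timestomp_indicators(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a record looks timestomped (empty list if clean)."""
    si_c, si_m = _ts(rec["si_created"]), _ts(rec["si_modified"])
    fn_c, fn_m = _ts(rec["fn_created"]), _ts(rec["fn_modified"])
    reasons: List[str] = []
    # SetFileTime-style APIs rewrite $SI only; $FN is set by the kernel on
    # create/rename, so $SI older than $FN is not a normal sequence.
    if si_c + SKEW < fn_c:
        reasons.append("si_created precedes fn_created")
    if si_m + SKEW < fn_m:
        reasons.append("si_modified precedes fn_modified")
    lo, hi = RANDOM_WINDOW
    if lo <= si_c < hi and lo <= si_m < hi and fn_c >= hi:
        reasons.append("si_created/modified in 2000-2004 but fn_created later")
    return reasons


def triage(records: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run the indicators over all records and keep only the suspicious ones."""
    hits = []
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            hits.append((rec["path"], reasons))
    return hits


# Constructed sample records (not real forensic data).
SAMPLE_RECORDS = [
    {   # ordinary file: $SI and $FN agree
        "path": r"C:\Windows\System32\wuauclt.exe",
        "si_created": "2019-03-19T04:50:12", "si_modified": "2019-03-19T04:50:12",
        "fn_created": "2019-03-19T04:50:12", "fn_modified": "2019-03-19T04:50:12",
    },
    {   # random 2000-2004 dates stamped into $SI; $FN keeps the real date
        "path": r"C:\Windows\System32\msobjs.drx",
        "si_created": "2002-07-14T09:21:33", "si_modified": "2003-11-02T17:05:01",
        "fn_created": "2020-05-30T22:14:07", "fn_modified": "2020-05-30T22:14:07",
    },
    {   # times copied from a donor file that is older than the file itself
        "path": r"C:\Windows\System32\powerctl.dll",
        "si_created": "2018-09-15T03:45:10", "si_modified": "2018-09-15T03:45:10",
        "fn_created": "2020-05-30T22:14:09", "fn_modified": "2020-05-30T22:14:09",
    },
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE_RECORDS):
        print(path, "->", "; ".join(why))
```

The donor-file variant is the harder case: the copied timestamps look plausible on their own, so only the comparison against `$FILE_NAME` catches it. Files that were legitimately restored from backup or extracted from archives can trip the same rules, which is why the output is a list of reasons for an analyst rather than a verdict.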
ID | Description |
---|---|
0x03 | Reply to “ping” from server |
0x10 | Get information about computer – username, computer name, IP, code page, OS version, OS architecture, tick count, time zone, current directory |
0x11 | Get information about drives – type, size, name, serial number, filesystem type |
0x12 | Write data to specified file, optionally timestomp |
0x13 | Upload specified file or directory. Options: • File – size, last write time, content • Directory – stats (total files size, file count, directory count); for each entry – name, attributes; directories – recurse into directories; files – size, last write time, content |
0x14 | Get listing of specified directory • name, attributes, write time • Directories – is nonempty • Files – size |
0x15 | Set current directory to specified directory |
0x16 | Create specified process |
0x17 | Get information about running processes – PID, PPID, executable file path |
0x18 | Terminate process(es) by PID or executable file path |
0x19 | Create process with redirected output and upload the output. The command uses a format string which hints at execution via cmd.exe: "%param0% /c "%param1% > %tmp_fpath%" 2>&1". If the output is empty, the unique string "<NO RESULT!>\r\n" is uploaded instead |
0x1A | Delete specified path. File deletion methods: • delete only • overwrite & move & delete |
0x1B | Copy creation/write/access time metadata from source file or directory to destination file or directory. If the source does not exist, a random time in the years 2000–2004 is used for creation & last write time; access time is unchanged |
0x1C | Get info about specified path: • File – attributes, creation/write/access time, type, size • Directory / Drive – total files size, file count, directory count (with optional extension filtering and recursion) |
0x1D | Set current configuration blob, save to registry |
0x1E | Get current configuration blob |
0x1F | Enable/disable drive watchdog (configuration field enable_drive_watchdog) |
0x20 | Enable/disable session watchdog (configuration field enable_session_watchdog) |
0x21 | Set configuration value related to delay of backdoor execution (configuration field delay_until_time) |
0x23 | Store data used by asynchronous command (related to commands 0x12, 0x13) |
0x24 | Stop executing asynchronous command (related to commands 0x12, 0x13) |
0x25 | Set configuration value related to delay between failed C&C connection attempts (configuration field wait_minutes) |
0x26 | If <SYSDIR>\wsdchngr.drx exists: • Delete configuration registry value • Delete backdoor file (self delete) • Delete loader file • Read, decrypt, PE-load wsdchngr.drx and call its SamIPromote export in a new thread • Exit current thread |
Of particular interest are the backdoor’s watchdogs, which can be optionally enabled or disabled. There is a drive watchdog used to monitor newly connected and disconnected drives, and a session watchdog monitoring the number of active sessions (i.e. logged-on users). These components can trigger a connection to the C&C server outside the regular, preconfigured three-minute interval, on new drive and session events.
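Command 0x19 in Table 1 leaves a characteristic process-creation artifact: a cmd.exe launch of the form `"%param0% /c "%param1% > %tmp_fpath%" 2>&1"`, i.e. a quoted inner command redirected into a temporary file with stderr merged into it. The following is an added example, not ESET's code, that matches command lines of exactly that shape in process-creation telemetry and extracts the output file for triage. The tab-separated key=value log format and the sample lines are constructed for this example (the field names mirror Sysmon event ID 1, but any real source needs its own mapping), and ranking a service-hosted parent process higher is an assumption based on the loader running as a service.

```python
"""Hunting for the cmd.exe output-capture chain behind command 0x19.

Added example, not ESET's code. The article shows the backdoor's format
string "%param0% /c "%param1% > %tmp_fpath%" 2>&1"; this matches command
lines of that shape in process-creation telemetry. The tab-separated
key=value log format and the sample lines are constructed for this example,
and treating a service-hosted parent as higher priority is an assumption.
"""
import re
from typing import Dict, List, Optional

# A launcher ending in cmd/cmd.exe (optionally quoted), /c, a quoted inner
# command redirected into a file, and the stderr merge 2>&1 at the end.
CHAIN_RE = re.compile(
    r'^(?P<launcher>"?[^"\s]*cmd(?:\.exe)?"?)\s+/c\s+'
    r'"(?P<inner>[^">]+?)\s*>\s*(?P<outfile>[^"]+)"\s*2>&1\s*$',
    re.IGNORECASE,
)
SERVICE_HOSTS = ("\\svchost.exe", "\\services.exe")


def parse_line(line: str) -> Dict[str, str]:
    """Split one tab-separated key=value telemetry line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def match_output_capture(cmdline: str) -> Optional[Dict[str, str]]:
    """Return launcher/inner/outfile if the command line has the 0x19 shape."""
    m = CHAIN_RE.match(cmdline.strip())
    return m.groupdict() if m else None


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Run the matcher over telemetry lines and enrich the hits for triage."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        fields = parse_line(line)
        m = match_output_capture(fields.get("CommandLine", ""))
        if m is None:
            continue
        parent = fields.get("ParentImage", "")
        hits.append({
            "parent": parent,
            "inner": m["inner"],
            "outfile": m["outfile"],   # the temp file whose content gets uploaded
            # The loader runs as a service, so a service host as parent makes
            # the hit more interesting than, say, a build agent doing the same.
            "service_parent": parent.lower().endswith(SERVICE_HOSTS),
        })
    return hits


# Constructed telemetry (not real logs).
SAMPLE_LINES = [
    "\t".join([
        r"Image=C:\Windows\System32\cmd.exe",
        r'CommandLine=cmd.exe /c "ipconfig /all > C:\Windows\Temp\tmpA1B2.tmp" 2>&1',
        r"ParentImage=C:\Windows\System32\svchost.exe",
    ]),
    "\t".join([
        r"Image=C:\Windows\System32\cmd.exe",
        r"CommandLine=cmd.exe /c dir C:\Users",
        r"ParentImage=C:\Windows\explorer.exe",
    ]),
    "\t".join([
        r"Image=C:\Windows\System32\cmd.exe",
        r'CommandLine="C:\Windows\System32\cmd.exe" /c "tasklist /v > C:\Users\Public\out.txt" 2>&1',
        r"ParentImage=C:\Program Files\Build\agent.exe",
    ]),
    "\t".join([
        r"Image=C:\Windows\System32\cmd.exe",
        r'CommandLine=cmd.exe /c "echo done > C:\Temp\log.txt"',
        r"ParentImage=C:\Windows\explorer.exe",
    ]),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LINES):
        print(hit)
```

The pattern is deliberately strict (quoted inner command, file redirect and the trailing `2>&1`) because plain `cmd /c` usage is far too common to alert on. Administration scripts and build agents do produce the same shape, so the parent image is carried along for triage, and the extracted output file path is what to collect next if the hit is confirmed: the backdoor deletes files, so the temp file may only survive briefly.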
Configuration
The configuration of the backdoor, which is initially set by the installer, is read from the registry value shown in Figure 3. When the configuration is changed by a C&C command, the value stored in the registry is updated. An example configuration and its structure are shown in Figure 4.
The wait_minutes field specifies the time to wait before the next connection to the C&C after a failed connection attempt. If the execution of the backdoor needs to be delayed until a particular time and date, it can be specified in the delay_until_time field. The encrypted_cncs field is an encrypted string, which contains semicolon-separated C&Cs.
Tor library
Vyveva uses the Tor library, which is based on the official Tor source code, to communicate with a C&C server chosen at random from the configuration. It contacts the C&C at three-minute intervals, sending information about the victim computer and its drives before receiving commands. The library’s export list names it TorSocket.dll and contains the self-explanatory exports close_ch, connect_ch, open_ch, read_ch and write_ch.
Conclusion
Vyveva constitutes yet another addition to Lazarus’s extensive malware arsenal. Attacking a company in South Africa also illustrates the broad geographical targeting of this APT group.
For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.
Indicators of Compromise (IoCs)
Samples
SHA-1 | Filename | ESET detection name | Description |
---|---|---|---|
DAD50AD3682A3F20B2F35BE2A94B89E2B1A73067 | powerctl.exe | Win32/NukeSped.HX | Installer |
69529EED679B0C7F1ACC1FD782A4B443CEC0CF83 | powerctl.dll | Win32/NukeSped.HX | Loader (x86) |
043ADDFB93A10D187DDE4999D78096077F26E9FD | wwanauth.dll | Win64/NukeSped.EQ | Loader (x64) |
1E3785FC4FE5AB8DAB31DDDD68257F9A7FC5BF59 | wwansec.dll | Win32/NukeSped.HX | Loader (x86) |
4D7ADD8145CB096359EBC3E4D44E19C2735E0377 | msobjs.drx | – | Backdoor (encrypted) |
92F5469DBEFDCEE1343934BE149AFC1241CC8497 | msobjs.drx | Win32/NukeSped.HX | Backdoor (decrypted with fixed MZ header) |
A5CE1DF767C89BF29D40DC4FA6EAECC9C8979552 | JET76C5.tmp | – | Backdoor Tor library (encrypted) |
66D17344A7CE55D05A324E1C6BE2ECD817E72680 | JET76C5.tmp | Win32/NukeSped.HY | Backdoor Tor library (decrypted with fixed MZ header) |
Filenames
%WINDIR%\System32\powerctl.exe
%WINDIR%\SysWOW64\powerctl.exe
%WINDIR%\System32\power.dat
%WINDIR%\SysWOW64\power.dat
%WINDIR%\System32\wwanauth.dll
%WINDIR%\SysWOW64\wwanauth.dll
%WINDIR%\System32\wwansec.dll
%WINDIR%\SysWOW64\wwansec.dll
%WINDIR%\System32\powerctl.dll
%WINDIR%\SysWOW64\powerctl.dll
%WINDIR%\System32\JET76C5.tmp
%WINDIR%\SysWOW64\JET76C5.tmp
%WINDIR%\System32\msobjs.drx
%WINDIR%\SysWOW64\msobjs.drx
MITRE ATT&CK techniques
This table was built using version 8 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description |
---|---|---|---|
Execution | T1569.002 | System Services: Service Execution | Vyveva loader executes via a service. |
Execution | T1106 | Native API | Vyveva backdoor uses the CreateProcessA API to execute files. |
Persistence | T1543.003 | Create or Modify System Process: Windows Service | Vyveva installer creates a new service to establish persistence for its loader. |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Vyveva decrypts strings and components (backdoor, Tor library). |
Defense Evasion | T1070.006 | Indicator Removal on Host: Timestomp | Vyveva backdoor can timestomp files. |
Defense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | Vyveva installer can create a service with attributes mimicking existing services. |
Defense Evasion | T1112 | Modify Registry | Vyveva stores its configuration in the registry. |
Defense Evasion | T1027 | Obfuscated Files or Information | Vyveva has encrypted strings and components. |
Discovery | T1083 | File and Directory Discovery | Vyveva backdoor can obtain file and directory listings. |
Discovery | T1057 | Process Discovery | Vyveva backdoor can list running processes. |
Discovery | T1082 | System Information Discovery | Vyveva backdoor can obtain system information, including computer name, ANSI code page, OS version and architecture. |
Discovery | T1016 | System Network Configuration Discovery | Vyveva backdoor can obtain the local IP address of the victim computer. |
Discovery | T1033 | System Owner/User Discovery | Vyveva backdoor can obtain the victim’s username. |
Discovery | T1124 | System Time Discovery | Vyveva backdoor can obtain system time and time zone. |
Collection | T1560.002 | Archive Collected Data: Archive via Library | Vyveva backdoor can compress files with zlib before sending them to the C&C. |
Collection | T1005 | Data from Local System | Vyveva backdoor can collect files from the computer. |
Collection | T1025 | Data from Removable Media | Vyveva backdoor can notify the C&C about newly inserted removable media and collect files from them. |
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Vyveva backdoor encrypts C&C traffic using XOR. |
Command and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Vyveva backdoor communicates with the C&C via Tor. |
Exfiltration | T1041 | Exfiltration Over C2 Channel | Vyveva exfiltrates data to the C&C server. |